Healthcare Cybersecurity Expert Faults Focus on ‘Symptoms’ of Problem

Posted June 11, 2017

Cybersecurity expert Kevin Fu on Sunday urged medical device makers to more vigorously design security into their products and called on hospitals to take a prioritized and focused approach to dealing with cyberthreats.

“If you try to build security after the fact, it is going to fail,” Fu said during the AAMI 2017 Conference & Expo, as he made the case for cybersecurity to be front and center in the design and development of medical devices.

As for healthcare delivery organizations, Fu said they are too distracted by the general threat posed by hackers, as opposed to taking a “clinically relevant” approach to the problem.

“Are we secure? The answer is ‘no.’ What’s your next question?” said Fu, who is chief scientist of Virta Labs, Inc. and director of the Archimedes Center for Medical Device Security and the Security and Privacy Research Group at the University of Michigan.

The next question, he said, should be either how quickly a hospital could recover from a cyberattack or how well its systems will tolerate threats. Stakeholders, he stressed, should “focus on availability of care” when evaluating the importance of any given cyberthreat.

“We have too much attention on treating the symptoms,” he added. Fu delivered the Dwight E. Harken Memorial Lecture at the conference, focusing on the history of medical device security and the road ahead.

On procurement, Fu called on HTM professionals to take a more assertive posture in ensuring that vendors address cybersecurity when selling new devices or technologies. An inventory is crucial, he said, just to get a handle on the size of the problem. “You can’t protect what you don’t know,” Fu told attendees.

Clinical relevance is ultimately a question of prioritization, and all parties should approach the problem from this vantage point: “How do we protect providers from widespread unavailability of care?”

Describing impediments to effective cybersecurity practices, Fu listed what he described as the “fearsome four”:

An incomplete cyber inventory.

Vendors who make security hard.

An overwhelming number of security testing tools, which providers struggle to keep up with.

An overreliance on network segmentation as the answer. Segmentation is necessary, Fu counseled, but it is not enough on its own.

Fu urged the crowd to “take a look” at an AAMI technical information report, TIR57, which deals with security risk management for medical devices. He described it as a tool that could help healthcare facilities and manufacturers take a proactive and comprehensive look at the problem.